Oregon FBI Tech Tuesday: Think passphrases, not passwords

Easier to remember, harder for hackers to crack

PORTLAND, Ore. - This week's Oregon FBI Tech Tuesday segment focuses on building a digital defense with strong passwords.

If you are like most of the rest of us, remembering the 50,000 passwords you are required to use each day can be overwhelming. So overwhelming, in fact, that many people just use the same password -- or a variation of one -- over and over again. Regardless of how many special characters, numbers and capital letters that you put into it -- it is still the same password, over and over again.

The people at the National Institute of Standards and Technology, an agency within the U.S. Department of Commerce, say that's not good enough. According to NIST researchers, more than 80 percent of hacking-related breaches used stolen or weak passwords.

Using the same few passwords over multiple platforms, apps, websites and the like is dangerous. Even when you are required to change the password every 90 or 120 days, that's usually not much help because most people just change a single character or add a number at the end of the old password.

So -- what does NIST recommend now? According to those government researchers:

Your password needs to be at least eight characters, but generally the longer the better. They suggest using passphrases, not single words.

For instance, think of a crazy picture in your head such as "purple cows swim with bananas." You now have a 29-character password (25 letters plus four spaces) that is much stronger than a six-character password with special symbols, numbers and capitals. And, as a bonus, you are more likely to remember it. Easier for you -- harder for hackers.
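To put numbers on "longer is stronger," here is an added example (written for this page, not code from the FBI or NIST) that compares the guessing work for the two password styles above and generates a random passphrase with a cryptographically secure generator. The word list in the code is a constructed toy list for demonstration; a real passphrase should be drawn from a published list such as the 7,776-word EFF/Diceware list, and the realistic strength figure is the word-level one, since an attacker who knows you use dictionary words guesses words, not letters.

```python
"""Added example: search-space comparison and passphrase generation.

Not part of the original article. The word list below is a constructed
demo list; use a published list (e.g. EFF large wordlist, 7,776 words)
for real passphrases.
"""
import math
import secrets

# Constructed, deliberately tiny word list for demonstration only.
DEMO_WORDS = [
    "purple", "cows", "swim", "with", "bananas", "quiet",
    "lantern", "river", "copper", "window", "marble", "ferry",
]

# Size of the EFF large wordlist / classic Diceware list.
DICEWARE_LIST_SIZE = 7776


def bits_for_charset(alphabet_size: int, length: int) -> float:
    """Entropy in bits when every character is uniformly random over the alphabet.

    This is how a naive character-by-character brute force sees a password.
    """
    return length * math.log2(alphabet_size)


def bits_for_wordlist(wordlist_size: int, word_count: int) -> float:
    """Entropy in bits when every word is uniformly random from the list.

    This is the realistic figure for a passphrase: the attacker guesses
    whole words, so length in characters overstates the strength.
    """
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int, words=DEMO_WORDS, sep: str = " ") -> str:
    """Pick words with the secrets module (CSPRNG), never random.choice()."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare() -> dict:
    """Bits of guessing work for the styles the article contrasts."""
    return {
        # Six characters from the 95 printable ASCII characters.
        "6 chars, symbols+digits+caps": bits_for_charset(95, 6),
        # 29 characters of lowercase letters and space, seen by a
        # character-level brute force (optimistic for the defender).
        "29 chars, letters+space (naive)": bits_for_charset(27, 29),
        # Five random words from a 7,776-word list (realistic model).
        "5 words, 7776-word list": bits_for_wordlist(DICEWARE_LIST_SIZE, 5),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:32s} {bits:6.1f} bits")
    print("sample passphrase:", generate_passphrase(5))
```

Even under the realistic word-level model, five random words (about 64.6 bits) beat a six-character "complex" password (about 39.4 bits) by roughly 25 bits, or a factor of tens of millions in guessing work; the article's memorable image, chosen by a human rather than at random, is weaker than a truly random five-word phrase, so prefer the generator for the accounts that matter.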

Focus on your most important accounts -- such as your email and bank accounts. Give each of these a unique passphrase.

Don't rely on passwords alone. Two-factor authentication is your friend. This requires something you know -- like a password -- PLUS something you have -- like a randomly generated PIN or code from an authenticator app, a code sent to your phone, or a hardware token. If you can set one up on any particular account -- do so.

Don't want to deal with any of this? Consider using a reputable password manager. That's software or an app that generates and stores a unique, random password for every one of your accounts, so the only thing you have to remember is one strong master passphrase.

In the end, remember that there is no perfect system, but there are simple things you can do to make it more difficult for hackers to enter your virtual home.

If you have been victimized by an online scam, be sure to report it to the FBI's Internet Crime Complaint Center or call your local FBI office.
